Security Risk:
Less Critical
Vulnerability:
Cross-Site Scripting
Affected Versions:
CiviCRM Versions 5.10.2 and earlier
Fixed Versions:
CiviCRM Versions 5.10.3 and 5.7.4
Publication Date:
Wednesday, February 20, 2019
Description:
The "Currency" element of a new pledge was not properly validated, which could potentially lead to a cross-site scripting attack.
Solutions:
Upgrade to the latest version of CiviCRM
Credits:
Patrick Figel of Greenpeace for reporting and fixing the issue
References:
security/core#16